[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie
authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 3 06:36:25 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by ryan):
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
That defines the following cookie structure.
{{{
user name|expiration time|(data)k|HMAC( user name|expiration
time|data|session key, k)
where k=HMAC(user name|expiration time, sk)
and where sk is a secret key
}}}
To fulfill HMAC, we need the hash_hmac() function. We can fall back to
the Crypt_HMAC code from PEAR if that is not available.
(data)k requires two-way encryption. We have that only if the mcrypt
module is available. I don't know how widespread that is among hosts. I
think that the data field is optional, however. We don't have any
additional data we need to put in the cookie. Losing the data field loses
the mcrypt requirement.
Since most WP installs don't run over SSL, we have to drop session key.
The cookie now looks like this:
{{{
user name|expiration time|HMAC( user name|expiration time, k)
where k=HMAC(user name|expiration time, sk)
and where sk is a secret key
}}}
That looks pretty good, but leaves us with an attacker being able to
create a cookie if he has access to the secret key in the DB. I think we
can get around this by having part of the key defined in wp-config.php.
We currently save a randomly generated secret in the 'secret' field in the
options table. wp_salt() uses this for creating nonces. We can
supplement this secret by concatenating it with a SECRET_KEY defined in
wp-config.php. We can provide a default SECRET_KEY, but users will have to
change this to something unique for it to be effective in preventing an
intruder who knows the DB secret from creating a cookie. We don't allow
viewing wp-config.php from anywhere in WP, so SECRET_KEY should be safe
from intruders who can see the DB or who have gained user permissions. We
could drop the secret from the DB and use just SECRET_KEY, but this would
rely on users changing SECRET_KEY. We can't rely on that, so augmenting
SECRET_KEY with a randomly generated DB secret is necessary. Not everyone
will change the SECRET_KEY, but the option is there for those wanting
extra protection.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:29>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list